GandCrab v4.1 – ransomware that showed up quickly after its predecessor

GandCrab v4.1 is a ransomware that added network communication feature

GandCrab v4.1 ransomware is a crypto-virus and a continuation of the infamous GandCrab v4 ransomware. It encrypts files using a complicated encryption algorithm and adds a .krab appendix to each of the affected files. The data locker does not modify wallpaper but drops a ransom note in the text format in each of the affected folders – krab-decrypt.txt. Hackers demand to pay the ransom of $1200 in DASH cryptocurrency for data release. The main difference from its previous variant is that the virus added network communication feature.[1] Additionally, the GandCrab v4.1 ransomware does not use the Command and Control server anymore, allowing it to spread without the internet connection.

According to security experts, GandCrab v4.1 virus is mostly distributed through fake websites that look identical to those that host cracked software, keygens, and similar. Nevertheless, as it is typical of data encrypting viruses, they can also spread via spam emails, break through the RDP, and similar methods.

There have been speculations that GandCrab v4.1 crypto-malware spreads via SMB exploit, which was used by WannaCry and Petya cyber attacks, although security experts did not find any evidence for that. However, they did not reject the possibility that the feature could be introduced in the next malware version. Therefore, users should make sure that the MS17-010[2] patch is implemented on their machines.

To ensure encryption of files, GandCrab v4.1 kills several .exe processes, allowing malware to execute its purpose successfully. The virus targets a variety of files, such as:

MS Office/OpenOffice documents

Archives

Databases

Photos

Video

Image

Music, etc.

As soon as the .krab extension is added to each of personal files, they become unusable. Note that they are not damaged, but encoded. To get them back, users need to obtain decryption key that is stored on a remote server which is only accessible to cybercriminals. Nevertheless, users should ignore hackers and take care of GandCrab v4.1 removal first – we recommend using anti-malware software such as Reimage or Plumbytes Anti-MalwareNorton Internet Security instead of trying to eliminate the threat manually. Victims can then proceed to retrieve personal data using backups or third-party applications.

GandCrab v4.1 ransomware as a long list of hard-coded websites it communicates with to send out the information about victims. The malware generates an URL address for each host in the following format: http://{host}/{word1}/{word2}/{fname}.{extension}, for example: www.{host}.com/uploads/pics/potekim.gif. This functionality does not seem logical, as sending data of the victim to each of the hosts seems useless, considering one send-off would be enough to fulfill the purpose.

Additionally, the hard-coded websites were not designed to act as GandCrab servers or the virus carriers. Therefore, security experts think that this functionality is experimental or is only there to divert researchers from the correct analysis.

A ransomware-type virus is hazardous and can lead to permanent loss of personal data. Nevertheless, to ensure normal operation of the PC, users should hurry and remove the GandCrab v4.1 virus from their computers by using reputable security software.

Be careful online and avoid nasty ransomware infections

When it comes to internet safety, users are not careful. At least not careful enough. Even though ransomware has been one of the most elaborated topics when it comes to cybersecurity (we saw massive attacks last year – WannaCry and NotPetya, which brought several high-profile organizations to the knees), users still refuse to believe that they can be victims, and so do companies. They fail to patch their computer systems on time or fall for a cleverly presented phishing email.

Do not forget that, ransomware targets both, organizations and private users. Therefore, do not exclude yourself as a potential victim. Always use strong passwords, install powerful security software, update the software and the OS as soon as new patches are out, and learn to recognize malicious spam emails.

Remove GandCrab v4.1 ransomware using security software

Ransomware-type viruses use a complicated code that might lead to permanent data loss. You need to realize, that manual GandCrab v4.1 removal should not be performed by regular users, as it will end up in a failure. Only trained and highly skilled IT professionals would be able to execute such a task. Therefore, leave it for security software – Reimage or Plumbytes Anti-MalwareNorton Internet Security will work, although you can use any anti-malware program of your liking.

GandCrab v4.1 virus stops certain executable files, so it might prevent security software from starting and operating correctly. In such case, enter Safe Mode with Networking, as explained below. You can also use a video guide that explains how to create a safe environment before you start performing the removal procedure.

Note that you should start recovering your encrypted files only after you remove GandCrab v4.1 from the infected machine. Otherwise, your files will get encrypted again. To recover data, use backups or alternative methods.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove GandCrab v4.1 ransomware you agree to our privacy policy and agreement of use.

What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.

Reimage is recommended to uninstall GandCrab v4.1 ransomware. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool. More information about this program can be found in Reimage review.

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete GandCrab v4.1 removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab v4.1. After doing that, click Next.

Now click Yes to start system restore.

Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that GandCrab v4.1 removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove GandCrab v4.1 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by GandCrab v4.1, you can use several methods to restore them:

Try Data Recover Pro

This tool was originally created to redeem files that were accidentally deleted or otherwise corrupted. Nevertheless, experts observed positive results when it comes to Data Recover Pro dealing with ransomware encrypted files.